- Microsoft is dropping its password expiration policies for Windows version 1903 and Windows Server version 1903, according to its security configuration baseline settings, first spotted by Ars Technica.
- The policy originally required users to reset passwords every 60 days. The requirements for length, history and complexity of passwords are still in effect.
- Microsoft highlighted studies proving password resets are not as effective as once believed and suggests "enforcing banned-password lists" and multi-factor authentication are better alternatives.
Microsoft's password reset policy was a staple for users, though according to Microsoft, an "ancient" one. Having a routine password refresh is "a defense only against the probability that a password will be stolen" during the time it's active, according to the announcement.
If a password isn't stolen, changing it doesn't add to the existing security posture.
Initially, the logic behind frequent password resets was obvious: Human-created passwords are easy for hackers to guess or predict. So no matter the frequency of password changes, it is not a complete security strategy for user credential management, argues Microsoft.
Passwords aren't going anywhere; there will just be newer standards. Organizations are also leaning toward the passwordless movement, with the introduction of biometrics and geographic identifiers making it harder for hackers to compromise behavioral analysis.
Weak passwords are an Achilles heel with users opting for easy-to-remember passwords like "123456" and "password." Such passwords contribute to the 300 billion passwords that are at risk of compromise by 2020, which could add up to $6 trillion in damages by 2021.
"Removing a low-value setting from our baseline and not compensating with something else in the baseline does not mean we are lowering security standards," according to Microsoft. The elimination of the 60-day requirement is a push toward a more effective security strategy.
Recycling passwords is a common practice, which makes Microsoft's policy less effective. Businesses could bypass password-related incidents with encrypted databases, routine patch deployments and avoiding log-ins on public networks.